First, a little bit of history. Part of my job requires me to deliver cyber security training and capacity building activities to small security teams. In the beginning, I was using traditional tabletop exercises (TTX) and injects. You know, break out those PowerPoint skills, have some printouts for each group and run through the scenario and injects as a collective.
This worked well for the most part, but I quickly found myself wanting to incorporate more and more aspects of the Incident Response process (technical troubleshooting, remediation, communications, information sharing, etc.). I started developing (and re-using) capture the flag events and incorporating these into my training. I soon discovered that the CTF-type events, with their hands-on components, were really popular amongst participants and generated a lot more engagement than a TTX delivered over PowerPoint.
After hearing about other cyber exercises, like CISA’s Cyber Storm, Filigran’s OpenBAS, and the Airbus CyberRange, I was inspired to go about creating a hybrid environment that combined a tabletop exercise with a basic cyber range. There wouldn’t be any attack and defend scenarios, but participants would be given access to a controlled environment and be led through various injects – either through PowerPoint slides or a verbal presentation. Most importantly, I had a budget of precisely $0 (not quite – but the goal was to self-fund this piece of work, and to do it as cost effectively as possible).
Iteration #1 – Baby steps
Firstly, I needed a computer that would facilitate the running of any exercises. I didn’t have any spare devices lying around, so I would have to purchase something (and still on a pretty much non-existent budget). I knew my local landfill had a recycle centre that would sell things that were deemed too good to throw away, and this included recycled computers. I took myself up there to see what they had, and as luck would have it – I found myself a mostly intact Toshiba Satellite laptop – for the princely sum of $20. The only problem was that I didn’t know if it was complete or would even power on. There was also no power cable included, but thankfully, after a 5-minute rummage through a large box of abandoned power bricks, I was able to locate a complete OEM power brick that matched perfectly (and only an additional $5) – off to a good start, I reckon.
Getting it home – and the first issue arises. The laptop didn’t come with a hard drive, and had only a single stick of 4GB RAM. I was kind of expecting something like this, so I made an additional purchase of a 128GB SSD and another stick of RAM, bringing it up to 8GB. At this stage – I’m not sure what I will be doing with the laptop, so the extra RAM seemed like a reasonable upgrade. With these upgrades procured, I was ready to make a start – I installed Kali Linux and created some digital forensics live-boot flash drives (Sumuri Paladin).
So far, costs had been kept pretty minimal, and I had a setup that was able to provide that next level of interactivity. I had a container full of flash drives that participants could boot from, which included a forensic system image that could be worked through with PowerPoint injects / questions.
Still – something wasn’t quite right…
Iteration #2 – A temporary diversion
In the middle of developing these solutions, I found myself procuring an ex-business Lenovo ThinkCentre, which I then used to deliver training on. Instead of Ubuntu, I kept the preinstalled version of Windows. I set up Docker Desktop and installed containers for both CyberChef and CTFd. I purchased a TP-Link travel router to act as a local Wi-Fi access point to provide a network to participants, along with a 4-port switch for any wired connections I might need. I could now set up and run exercises for both small and large groups relatively seamlessly.
The problem I ran into was that I found myself bringing along a separate laptop anyway – since the ThinkCentre didn’t have a display, I would often need remote access to troubleshoot any issues, etc. This became too cumbersome for my requirements, and the ThinkCentre was eventually relegated to the homelab for any future testing and tinkering.
Iteration #3 – Almost there
For the latest version of this system, I wanted to take it back another step. Getting participants to live-boot Paladin on their own devices would often take up time, or require going into the BIOS to make changes. All of this meant that precious time would be wasted ensuring that everyone was able to get into the system (and often there were users who just couldn’t get it working no matter what was tried), and the ThinkCentre was just proving too difficult to bring around, especially since much of the training required that I jump on a plane – where space and weight are at a premium.
The goal now was to create a system where users could bring their own devices and, with minimal effort, be up and running. This version would require starting again – this time with Ubuntu (server version) and installing tools on top of this. Some further hardware purchases were required: this time a TP-Link travel router to act as a Wi-Fi access point and a very small 4-port switch. The router is powered over its USB cable, to save the hassle of trying to find an additional power outlet at any training venues I might find myself in.
If you’ve read this far, you’re probably interested in how this system was put together – which will be detailed in Part 2 of this series.